Policy verification failed

Hi,

I have policy install failures on all my gateways. 

Verification of policy from the security manager is failing.

Management and all gateways R80.10 with latest HFA. 

This has happened randomly. Nothing has changed recently.

Verification problems from install_policy.elg show:

27/02/18 10:27:32,008 INFO com.checkpoint.management.dleserver.coresvc.internal.LegacyPolicyLoader$PolicyLoadTask.doWork:175 [taskExecutor-27]: Completed to load legacy policy for product 'Threat'
27/02/18 10:27:45,203 ERROR com.checkpoint.management.dleserver.coresvc.internal.PolicyLoaderTask.processExecutionErrors:105 [taskExecutor-29]: Execution for instance 3768cf4f-9242-4a5c-b491-951d0f1006fc had failed due to an execution exception
org.apache.commons.exec.ExecuteException: Process exited with an error: 1 (Exit value: 1)
at org.apache.commons.exec.DefaultExecutor.executeInternal(DefaultExecutor.java:377)
at org.apache.commons.exec.DefaultExecutor.access$200(DefaultExecutor.java:46)
at org.apache.commons.exec.DefaultExecutor$1.run(DefaultExecutor.java:188)
27/02/18 10:27:45,203 ERROR com.checkpoint.management.dleserver.coresvc.internal.PolicyLoaderTask.processExecutionErrors:159 [taskExecutor-29]: All policy loading commands had failed due to execution exceptions
27/02/18 10:27:45,203 INFO com.checkpoint.management.dleserver.coresvc.internal.PolicyLoaderTask.executeLoadCommands:184 [taskExecutor-29]: Loader executions completed
27/02/18 10:27:45,203 INFO com.checkpoint.management.dleserver.coresvc.internal.PolicyLoaderTask.executeLoadCommands:204 [taskExecutor-29]: Command's full output:

There are no specific SK articles for this; however, I have tried moving last_dump.C: mv $FWDIR/conf/last_dump.C $FWDIR/conf/last_dump.C.ORIG.

Any other suggestions?
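
An added example, not part of the original post and not Check Point tooling: a small Python parser for the install_policy.elg entry format shown in the excerpt above. It attaches stack-trace lines to the entry they follow and pulls the loader instance ID and child-process exit value out of each ERROR entry. The field layout is inferred only from the quoted lines, and the function names are hypothetical.

```python
import re

# Entry header as seen in the excerpt: "DD/MM/YY HH:MM:SS,mmm LEVEL class.method:line [thread]: msg"
HEADER = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+)\s+"
    r"(?P<source>\S+):(?P<line>\d+) \[(?P<thread>[^\]]+)\]: (?P<msg>.*)$"
)
INSTANCE = re.compile(r"instance ([0-9a-f-]{36})")
EXIT = re.compile(r"Exit value: (\d+)")

def parse_elg(text):
    """Group lines into entries; non-header lines (exception, stack frames) join the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw.strip())
        if m:
            entries.append({**m.groupdict(), "extra": []})
        elif raw.strip() and entries:
            entries[-1]["extra"].append(raw.strip())
    return entries

def failed_loads(entries):
    """One summary per ERROR entry: time, thread, loader instance, child exit value."""
    out = []
    for e in entries:
        if e["level"] != "ERROR":
            continue
        blob = " ".join([e["msg"], *e["extra"]])
        inst, code = INSTANCE.search(blob), EXIT.search(blob)
        out.append({
            "ts": e["ts"], "thread": e["thread"],
            "instance": inst.group(1) if inst else None,
            "exit_value": int(code.group(1)) if code else None,
            "msg": e["msg"],
        })
    return out

# Sample input: lines taken from the post above, with the line-wrap spaces removed.
SAMPLE = """\
27/02/18 10:27:32,008 INFO com.checkpoint.management.dleserver.coresvc.internal.LegacyPolicyLoader$PolicyLoadTask.doWork:175 [taskExecutor-27]: Completed to load legacy policy for product 'Threat'
27/02/18 10:27:45,203 ERROR com.checkpoint.management.dleserver.coresvc.internal.PolicyLoaderTask.processExecutionErrors:105 [taskExecutor-29]: Execution for instance 3768cf4f-9242-4a5c-b491-951d0f1006fc had failed due to an execution exception
org.apache.commons.exec.ExecuteException: Process exited with an error: 1 (Exit value: 1)
at org.apache.commons.exec.DefaultExecutor.executeInternal(DefaultExecutor.java:377)
27/02/18 10:27:45,203 ERROR com.checkpoint.management.dleserver.coresvc.internal.PolicyLoaderTask.processExecutionErrors:159 [taskExecutor-29]: All policy loading commands had failed due to execution exceptions
"""

if __name__ == "__main__":
    for f in failed_loads(parse_elg(SAMPLE)):
        print(f)
```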

6 Replies

Re: Policy verification failed

Sounds like an SR candidate. Just from the Java exceptions, the only thing I can think of is RAM. Either you are running out of it during policy push or it does not allocate enough max heap size in your default configuration (that would be based on max physically available). But that's a long shot, I have to be honest.

Any other logs in messages maybe? Or cpd.elg?

Re: Policy verification failed

Hi,

No other messages, and RAM is 32GB running very low!!

Could be one for TAC.


Re: Policy verification failed

My first suggestion is to check through How To Troubleshoot Policy Installation Issues - a good starting point for finding the reason for the issue! At least, policy install does only fail any other time, not every time...


Re: Policy verification failed

Hi,

I have been through this, and some similar SK articles and none of it is applicable.

The Java faults seem to be some corruption that might need TAC support.

It isn’t intermittent. It’s persistent and happening all the time now.

Tom_Cripps
Copper

Re: Policy verification failed

Hi Jack,

We had something similar to this a few weeks ago, and our issue was that our management server was looking for a file that wasn't there in our R80.10 suite but was looking for a file in an R77 suite. It'll be best to open up a case with your support provider, as we had to install a policy using fwm -d load and we saw right at the end it was looking for this file it couldn't find, until we created it again.

See what they have to say, this helped a lot.

Re: Policy verification failed

Guys, usually I'm very pro self-help, but I strongly request that you open a TAC case for this. They will ask for more files, and push for a root cause fix for the benefit of the rest of our customers.

Thanks